Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

User Accessed Suspicious URL Categories

Back
Idfb0f4a93-d8ad-4b54-9931-85bdb7550f90
RulenameUser Accessed Suspicious URL Categories
DescriptionCreates an incident in the event the requested URL accessed by the user has been identified as Suspicious, Phishing, or Hacking.
SeverityMedium
TacticsInitialAccess
CommandAndControl
TechniquesT1566
T1071
Required data connectorsSyslogAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SymantecProxySG/Analytic Rules/UserAccessedSuspiciousURLCategories.yaml
Version1.0.5
Arm templatefb0f4a93-d8ad-4b54-9931-85bdb7550f90.json
Deploy To Azure
SymantecProxySG
| mv-expand cs_categories
| where cs_categories has_any ("Suspicious","phishing", "hacking")
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer,  tostring(cs_categories)
status: Available
id: fb0f4a93-d8ad-4b54-9931-85bdb7550f90
query: |
  SymantecProxySG
  | mv-expand cs_categories
  | where cs_categories has_any ("Suspicious","phishing", "hacking")
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer,  tostring(cs_categories)  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SymantecProxySG/Analytic Rules/UserAccessedSuspiciousURLCategories.yaml
description: |
    'Creates an incident in the event the requested URL accessed by the user has been identified as Suspicious, Phishing, or Hacking.'
name: User Accessed Suspicious URL Categories
relevantTechniques:
- T1566
- T1071
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: cs_userdn
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: Computer
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: c_ip
triggerThreshold: 0
severity: Medium
requiredDataConnectors:
- datatypes:
  - Syslog
  connectorId: SyslogAma
queryFrequency: 1h
queryPeriod: 1h
version: 1.0.5
kind: Scheduled
tactics:
- InitialAccess
- CommandAndControl
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fb0f4a93-d8ad-4b54-9931-85bdb7550f90')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fb0f4a93-d8ad-4b54-9931-85bdb7550f90')]",
      "properties": {
        "alertRuleTemplateName": "fb0f4a93-d8ad-4b54-9931-85bdb7550f90",
        "customDetails": null,
        "description": "'Creates an incident in the event the requested URL accessed by the user has been identified as Suspicious, Phishing, or Hacking.'\n",
        "displayName": "User Accessed Suspicious URL Categories",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "cs_userdn",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Computer",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "c_ip",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SymantecProxySG/Analytic Rules/UserAccessedSuspiciousURLCategories.yaml",
        "query": "SymantecProxySG\n| mv-expand cs_categories\n| where cs_categories has_any (\"Suspicious\",\"phishing\", \"hacking\")\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer,  tostring(cs_categories)\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "InitialAccess"
        ],
        "techniques": [
          "T1071",
          "T1566"
        ],
        "templateVersion": "1.0.5",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}